Aggressive ransomware scam redirects to child porn

Being reported for viewing or possessing child pornography is a very serious matter in most Western countries, so it is no wonder that ransomware peddlers are using that specific accusation, which in this case happens to be true, to force victims to part with their hard-earned cash.

The author of the Malware don't need Coffee blog has recently discovered that a relatively new ransomware family dubbed Revoyem (aka DirtyDecrypt) has been terrorizing users across Europe, Canada and the US:

“From a Porn website, you are redirected by a TrafficHolder malvert to a Child Porn themed page (impact 1: images are highly disturbing here) from which you get infected via Styx which drops you a Ransomware locking your computer, displaying disturbing images and telling you that you just viewed illegal content (impact 2 – amplified because it’s true… you just viewed illegal content even if you’ve been driven there against your will),” the blogger explains, describing how the attack unfolds.

The victim is presented with the laws they have allegedly broken and told the penalties they face, but is also reassured that their computer will be unlocked and that they will not be prosecuted if they pay a significant fine via MoneyPak or PaysafeCard.

Users in different countries see the warning in their own language, and it appears to come from their own national law enforcement agency.

If you are ever faced with a similar notice, the best thing to do is to actually consult the police. Given the proliferation of ransom scams like this one, chances are overwhelmingly in your favor that the police are already aware of similar attempts.

Some types of ransomware can be made to unblock the affected computer by typing in a credible-looking payment code of the kind you would supposedly receive after paying the fine.

If you are lucky enough to find an online account by someone who has done this and has shared the code publicly, you might be able to unblock the computer yourself. Just remember to scan it afterwards and remove the ransomware, along with any other malware you might find.